Towards the specification of access control policies on multiple operating systems

Lawrence Teo, Gail Joon Ahn

Research output: Chapter in Book/Report/Conference proceedingConference contribution

4 Scopus citations

Abstract

In the past, operating systems tended to lack well-defined access control policy specification languages and syntax. For example, a UNIX operating system that is based on the Discretionary Access Control (DAC) paradigm has decentralized security policies based on technology that has been developed over the years. With such policies, it is difficult to identify the permissions given to each user, and who has what access to which resources. With the advent of recent security-enhanced operating systems such as SELinux, this is no longer the case; the access control policy for almost all resources is now stored centrally and applied universally throughout the system. This is certainly more manageable but is not without costs. Firstly, such policies tend to be complex. Secondly, as more of such systems are developed, each system would have its own policy specification syntax. A system administrator who intends to evaluate or migrate to a new system would have to learn the syntax of the new system. In this paper, we propose a solution to this problem by introducing the initial design of a new policy specification language that can be used to represent access control policies for multiple operating systems. To serve its purpose, this language must be flexible enough to cater to many operating systems, while being sufficiently extensible to support the specific features of each target operating system. We present the criteria, features, and approach that we are using to design the language. We also describe the role of two systems - SELinux and Systrace - in the design of our language. We also discuss our consideration of ASL as a potential candidate language, and why we chose to design our own language instead.

Original languageEnglish (US)
Title of host publicationProceedings fron the Fifth Annual IEEE System, Man and Cybernetics Information Assurance Workshop, SMC
Pages210-217
Number of pages8
StatePublished - Dec 1 2004
Externally publishedYes
EventProceedings fron the Fifth Annual IEEE System, Man and Cybernetics Information Assurance Workshop, SMC - West Point, NY, United States
Duration: Jun 10 2004Jun 11 2004

Publication series

NameProceedings fron the Fifth Annual IEEE System, Man and Cybernetics Information Assurance Workshop, SMC

Other

OtherProceedings fron the Fifth Annual IEEE System, Man and Cybernetics Information Assurance Workshop, SMC
CountryUnited States
CityWest Point, NY
Period6/10/046/11/04

ASJC Scopus subject areas

  • Engineering(all)

Fingerprint Dive into the research topics of 'Towards the specification of access control policies on multiple operating systems'. Together they form a unique fingerprint.

Cite this